Missing original value after using distinct query

michaelhoang · ‎07-21-2019

Hi,
I am having the following issue that need your help.
The scenario is: I am working on the report of firewall data in Splunk. The requirement is getting the distinct destination connected by source address. The table should contain: Source Address, Destination Address and Distinct count the number of Destination address connected by Source.
I am trying to use the dc query to get the distinct count for destination address but when doing table, i only can get source and distinct count number but the destination address value is missing.
Here is the query that I am using:

sourcetype="aws:cloudwatchlogs:vpcflow"
| dedup src dest | stats dc(dest) as
Count by src | table src dest Count |
sort src

Below is the output of the query:

Please help to suggest what query should I use to retain the destination address value.
Thanks,
Michael

renjith_nair · ‎07-21-2019

@michaelhoang ,

Try

sourcetype="aws:cloudwatchlogs:vpcflow"
| stats dc(dest) as Count,values(dest) as dest by src

OR

    sourcetype="aws:cloudwatchlogs:vpcflow"
    | stats dc(dest) as Count  by src,dest|eventstats sum(Count) as Count by src

---
What goes around comes around. If it helps, hit it with Karma 🙂

Missing original value after using distinct query

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Join the Conversation

Missing original value after using distinct query

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?